Computerworld - Security firms today warned Mac users of a new Trojan horse that masquerades as a PDF document.
The malware, which was spotted by U.K.-based Sophos and Finnish antivirus vendor F-Secure, uses a technique long practiced by Windows attackers.
"This malware may be attempting to copy the technique implemented by Windows malware, which opens a PDF file containing a '.pdf.exe' extension and an accompanying PDF icon," said F-Secure today.
That practice relies on what is called the "double extension" trick: adding the characters ".pdf" to the filename to disguise an executable file.
The Mac malware uses a two-step process, composed of a Trojan "dropper" utility that downloads a second element, a Trojan "backdoor" that then connects to a remote server controlled by the attacker, using that communications channel to send information gleaned from the infected Mac and receiving additional instructions from the hacker.
Because it doesn't exploit a vulnerability in Mac OS X -- or any other software -- the malware instead must dupe users into downloading and opening the seemingly-innocuous PDF document, which is actually an executable.
Once run, the dropper downloads the second-stage backdoor and opens a Chinese-language PDF. F-Secure said that the PDF was another sleight-of-hand trick: "[The dropper component] drops a PDF file in the /tmp folder, then opens it to distract the user from noticing any other activity occurring," the company said in a description of the attack.
Both Sophos and F-Secure noted that the malware doesn't work reliably, and currently can't connect to the command-and-control (C&C) server because the latter isn't fully functional.
Mac malware is typically crude in comparison with what targets Windows PCs.
Because the C&C server is not yet operational and since it found samples of the Trojans on VirusTotal -- a free service that runs malware against a host of antivirus engines -- F-Secure speculated that the malware is still in the testing phase.
Although Apple's Mac OS X includes a bare-bones antivirus detector, it has not been updated to detect the just-noticed Trojan dropper or backdoor. Checks of several Computerworld Macs running Lion, for instance, found that Apple last updated its detector on Aug. 9.
Mac users had their biggest malware scare earlier this year, when a series of fake security programs, dubbed "scareware," were aimed at them.
Several antivirus companies, including Sophos, F-Secure and Intego, offer security software for the Mac.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
Read more about Security in Computerworld's Security Topic Center.
Scareware comprises several classes of ransomware or scam software with malicious payloads, usually of limited or no benefit, that are sold to consumers via certain unethical marketing practices. The selling approach uses social engineering to cause shock, anxiety, or the perception of a threat, generally directed at an unsuspecting user. Some forms of spyware and adware also use scareware tactics.
A tactic frequently used by criminals involves convincing users that a virus has infected their computer, then suggesting that they download (and pay for) fake antivirus software to remove it. Usually the virus is entirely fictional and the software is non-functional or malware itself. According to the Anti-Phishing Working Group, the number of scareware packages in circulation rose from 2,850 to 9,287 in the second half of 2008. In the first half of 2009, the APWG identified a 585% increase in scareware programs.
The "scareware" label can also apply to any application or virus (not necessarily sold as above) which pranks users with intent to cause anxiety or panic.
Internet Security bloggers/writers use the term "scareware" to describe software products that produce frivolous and alarming warnings or threat notices, most typically for fictitious or useless commercial firewall and registry cleaner software. This class of program tries to increase its perceived value by bombarding the user with constant warning messages that do not increase its effectiveness in any way. Software is packaged with a look and feel that mimics legitimate security software in order to deceive consumers.
Some websites display pop-up advertisement windows or banners with text such as: "Your computer may be infected with harmful spyware programs. Immediate removal may be required. To scan, click 'Yes' below." These websites can go as far as saying that a user's job, career, or marriage would be at risk. Products using advertisements such as these are often considered scareware. Serious scareware applications qualify as rogue software.
In recent[when?] findings some scareware is not affiliated with any other installed programs. A user can encounter a pop-up on a website indicating that their PC is infected. In some scenarios it is possible to become infected with scareware even if the user attempts to cancel the notification. These popups are especially designed to look like they come from the user's operating system when they are actually a webpage.
Research by Google discovered that scareware was using some of its servers to check for internet connectivity. The data suggested that up to a million machines were infected with scareware. The company has placed a warning in the search results of users whose computers appear to be infected.
Some forms of spyware also qualify as scareware because they change the user's desktop background, install icons in the computer's notification area (under Microsoft Windows), and generally make a nuisance of themselves, claiming that some kind of spyware has infected the user's computer and that the scareware application will help to remove the infection. In some cases, scareware trojans have replaced the desktop of the victim with large, yellow text reading "Warning! You have spyware!" or a box containing similar text, and have even forced the screensaver to change to "bugs" crawling across the screen. Winwebsec is the term usually used to address the malwares that attacks the users of Windows operating system and produce fake claims as genuine Anti-Malware software.
SpySheriff, exemplifies spyware/scareware: it purports to remove spyware, but is actually a piece of spyware in itself, often accompanying SmitFraud infections. Other AntiSpyware Scareware may be promoted using a Phishing scam.
Another example of Scareware is Smart Fortress. This site scares people into thinking they have lots of viruses on their computer and asks them to buy the professional service.
Uninstallation of security software
Another approach is to trick users into uninstalling legitimate antivirus software, such as Microsoft Security Essentials, or disabling their firewall.
In 2005, Microsoft and Washington State successfully sued Secure Computer (makers of Spyware Cleaner) for $1 million over charges of using scareware pop-ups. Washington's attorney general has also brought lawsuits against Securelink Networks, High Falls Media and the makers of Quick Shield.
In October 2008, Microsoft and the Washington attorney general filed a lawsuit against two Texas firms, Branch Software and Alpha Red, producers of the Registry Cleaner XP scareware. The lawsuit alleges that the company sent incessant pop-ups resembling system warnings to consumers' personal computers stating "CRITICAL ERROR MESSAGE! - REGISTRY DAMAGED AND CORRUPTED", before instructing users to visit a web site to download Registry Cleaner XP at a cost of $39.95.
On December 2, 2008, the U.S. Federal Trade Commission (“FTC”) filed a Complaint in federal court against Innovative Marketing, Inc., ByteHosting Internet Services, LLC, as well as individuals Sam Jain, Daniel Sundin, James Reno, Marc D’Souza and Kristy Ross. The Complaint also listed Maurice D’Souza as a Relief Defendant, alleged that he held proceeds of wrongful conduct but not accusing him of violating any law. The FTC alleged that the other Defendants violated the FTC Act by deceptively marketing software, including WinFixer, WinAntivirus, DriveCleaner, ErrorSafe, and XP Antivirus. According to the complaint, the Defendants falsely represented that scans of a consumer’s computer showed that it is had been compromised or infected and then offered to sell software to fix the alleged problems. The FTC alleged that the unlawful conduct netted the Defendants more than $100 million. On June 25, 2009, the FTC reached a settlement with two defendants, James Reno and ByteHosting Internet Services, LLC. The settlement required the two defendants to pay nearly $1.9 million to the FTC. The settlement also prohibited James Reno and ByteHosting from using deceptive “scareware” advertising tactics and from installing malicious programs on consumers’ computers. On February 10, 2010 the United States District Court for the District of Maryland entered a default judgment and order for permanent injunction against Jain, Sundin and Innovative Marketing, Inc. that imposed a judgment of more than $163 million. Subsequently, on May 26, 2010, Jain, Sundin and Reno were indicted by a federal grand jury for the United States District Court, Northern District of Illinois for wire fraud and conspiracy to commit computer fraud. The indictment alleges that from December 2006 to October 2008, Jain and Sundin placed false advertisements on the websites of legitimate companies. Currently both Jain and Sundin are fugitives and the FBI is offering a $20,000 reward for information that leads to their arrest.. On January 10, 2011 the FTC reached a settlement with Marc and Maurice D’Souza which resolved the lawsuit brought by the FTC. The settlement required the D’Souzas, who had voluntarily terminated their relationship with the other Defendants at the end of 2006—before much of the alleged unlawful conduct took place, to assist the FTC in obtaining $5 million that was being held in an escrow account and to pay an additional $3.2 million to the FTC.
Another type of scareware involves software designed to literally scare the user through the use of unanticipated shocking images, sounds or video.
- The first program of this type is generally credited[by whom?] to be NightMare, a program distributed on the Fish Disks for the Amiga computer (Fish #448) in 1991. When NightMare executes, it lies dormant for an extended (and random) period of time, finally changing the entire screen of the computer to an image of a skull while playing a horrifying shriek on the audio channels.
- Anxiety-based scareware puts users in situations where there are no positive outcomes. For example, a small program can present a dialog box saying "Erase everything on hard drive?" with two buttons, both labeled "OK". Regardless of which button is chosen, nothing is destroyed other than the user's composure.
- This tactic was used in an advertisement campaign by Sir-Tech in 1997 to advertise Virus: The Game. When the file is run, a full screen representation of the desktop appears. The software then begins simulating deletion of the Windows folder. When this process is complete, a message is slowly typed on screen saying "Thank God this is only a game." A screen with the purchase information appears on screen and then returns to the desktop. No damage is done to the computer during the advertisement.
- "Millions tricked by 'scareware'". BBC News. 2009-10-19. Retrieved 2009-10-20.
- 'Scareware' scams trick searchers. BBC News (2009-03-23). Retrieved on 2009-03-23.
- "Scareware scammers adopt cold call tactics". The Register. 2009-04-10. Retrieved 2009-04-12.
- Phishing Activity Trends Report: 1st Half 2009
- John Leydon (2009-10-20). "Scareware Mr Bigs enjoy 'low risk' crime bonanza". The Register. Retrieved 2009-10-21.
- "Symantec Security Response: Misleading Applications". Symantec. 2007-08-31. Retrieved 2010-04-15.
- JM Hipolito (2009-06-04). "Air France Flight 447 Search Results Lead to Rogue Antivirus". Trend Micro. Retrieved 2009-06-06.
- Moheeb Abu Rajab and Luca Ballard (2010-04-13). The Nocebo Effect on the Web: An Analysis of Fake Anti-Virus Distribution. Google. Retrieved 2010-11-18.
- "Google to Warn PC Virus Victims via Search Site". BBC News. 2011-07-21. Retrieved 2011-07-22.
- spywarewarrior.com filed under "Brave Sentry."
- Etengoff, Aharon (2008-09-29). "Washington and Microsoft target spammers". The Inquirer. Retrieved 2008-10-04.
- "Microsoft to sue scareware security vendors". Lunarsoft. 2008-09-29. Retrieved 2009-09-24. "[...] the Washington attorney general (AG) [...] has also brought lawsuits against companies such as Securelink Networks and High Falls Media, and the makers of a product called QuickShield, all of whom were accused of marketing their products using deceptive techniques such as fake alert messages."
- "Fighting the scourge of scareware". BBC News. 2008-10-01. Retrieved 2008-10-02.
- "Win software". Federal Trade Commission.
- "Wanted by the FBI - SHAILESHKUMAR P. JAIN". FBI.
- "D’Souza Final Order". Federal Trade Commission.
- Contents of disk #448. Amiga-stuff.com - see DISK 448.
- Dark Drive Prank
- Demonstration of scareware on YouTube
- The Case of the Unusable System
- Yes, that PC cleanup app you saw on TV at 3 a.m. is a waste